Police Scotland Hit by Multiple Data Breaches Involving Sensitive Personal Information

Sensitive personal data – including fingerprints and medical details – has been compromised in a series of Police Scotland data breaches reported over the past six years.

Posted 23 October 2025 by Christine Horton


A Freedom of Information (FOI) request submitted by data protection specialists at LSS revealed that 10 breaches were reported by the force to the Information Commissioner’s Office (ICO) during that period. The incidents affected both members of the public and police staff.

Compromised information included names, addresses, dates of birth, contact details, photographs, fingerprints, health data, and vehicle registration details. Several of the breaches also involved failures to meet GDPR requirements for fair, transparent, and secure processing of personal data.

According to the FOI findings, 2024 was the worst year on record for Police Scotland, with multiple incidents reported to the regulator. A further two breaches have already been recorded in 2025.

In response, the force said it had implemented remedial measures including staff advice and guidance, refresher training, and reviews of recording, storage, and departmental practices aimed at preventing recurrence.

Gary Noble from LSS warned that the scale of sensitive data handled by public bodies makes vigilance essential.

“In today’s digital landscape, organisations handle vast amounts of sensitive information. From personal details like names and addresses to health records and biometric data, the consequences of a data leak can be devastating,” he said.

“Beyond damaging public trust, breaches can lead to significant financial penalties under GDPR, as well as long-term reputational harm. Taking proactive steps to secure systems and educate staff is therefore vital to prevent such incidents.”

To help public sector organisations strengthen their data protection posture, Noble outlined five key measures to reduce the risk of data breaches:

  1. Regular staff training: Ensure all employees understand how to handle sensitive data securely and recognise the risks of mishandling information.
  2. Strong access controls: Limit access to sensitive data strictly to those who need it, and regularly review permissions.
  3. Encryption and secure storage: Protect data both at rest and in transit with encryption, and avoid retaining unnecessary personal information.
  4. Routine audits and testing: Conduct regular security audits, penetration tests, and GDPR compliance checks to identify and address vulnerabilities.
  5. Incident response planning: Maintain a clear breach response procedure to ensure rapid action, damage mitigation, and timely notification to regulators if required.
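To make three of those measures concrete, the following Python module is an added illustration (it is not code from the article, from LSS, or from Police Scotland): a small record store that applies least-privilege access by role with a periodic grant review (measure 2), drops personal fields once an assumed retention period has passed (the "avoid retaining unnecessary personal information" part of measure 3), and keeps an audit trail of every allowed and refused access so that a breach investigation has something to work from (measure 5). The roles, field categories, retention periods, and sample records are all constructed for the example.

```python
"""
Added example, not from the article or from LSS/Police Scotland.
Demonstrates role-based least privilege with a grant review, retention-based
purging of personal fields, and an audit log of every access decision.
All roles, retention periods and sample records below are constructed.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed: which field categories each role may read (least privilege).
ROLE_FIELDS = {
    "custody_officer": {"name", "date_of_birth", "fingerprint_ref"},
    "medical_liaison": {"name", "health_note"},
    "vehicle_clerk": {"name", "vehicle_registration"},
}

# Constructed/assumed retention limits in days for the sensitive categories.
RETENTION_DAYS = {"health_note": 365, "fingerprint_ref": 730, "vehicle_registration": 180}

GRANT_REVIEW_DAYS = 90  # assumed: a grant not re-reviewed within 90 days is flagged


@dataclass
class Grant:
    user: str
    role: str
    last_reviewed: date


@dataclass
class Record:
    record_id: str
    created: date
    fields: dict


@dataclass
class Store:
    grants: dict = field(default_factory=dict)   # user -> Grant
    records: dict = field(default_factory=dict)  # record_id -> Record
    audit_log: list = field(default_factory=list)

    def read(self, user, record_id, wanted, today):
        """Return only the requested fields the user's role permits; log every decision."""
        grant = self.grants.get(user)
        if grant is None:
            self.audit_log.append((today, user, record_id, "DENIED", "no grant"))
            raise PermissionError(f"{user} has no access grant")
        refused = set(wanted) - ROLE_FIELDS[grant.role]
        if refused:
            self.audit_log.append((today, user, record_id, "DENIED", sorted(refused)))
            raise PermissionError(f"{user} ({grant.role}) may not read {sorted(refused)}")
        rec = self.records[record_id]
        self.audit_log.append((today, user, record_id, "READ", sorted(wanted)))
        return {k: rec.fields[k] for k in wanted if k in rec.fields}

    def stale_grants(self, today):
        """Users whose access has not been reviewed within GRANT_REVIEW_DAYS."""
        return sorted(g.user for g in self.grants.values()
                      if (today - g.last_reviewed).days > GRANT_REVIEW_DAYS)

    def purge_expired_fields(self, today):
        """Delete sensitive fields older than their retention limit; report what was removed."""
        removed = []
        for rec in self.records.values():
            age = (today - rec.created).days
            for fname, limit in RETENTION_DAYS.items():
                if fname in rec.fields and age > limit:
                    del rec.fields[fname]
                    removed.append((rec.record_id, fname))
        return removed


def build_sample_store():
    """Constructed sample data: three grants and two records."""
    store = Store()
    store.grants = {
        "alice": Grant("alice", "custody_officer", date(2025, 9, 30)),
        "bob": Grant("bob", "medical_liaison", date(2025, 5, 1)),   # review overdue
        "carol": Grant("carol", "vehicle_clerk", date(2025, 8, 1)),
    }
    store.records = {
        "R1": Record("R1", date(2024, 1, 15), {
            "name": "A. Example", "date_of_birth": "1990-01-01",
            "fingerprint_ref": "FP-0001", "health_note": "constructed note",
            "vehicle_registration": "AB12 CDE"}),
        "R2": Record("R2", date(2025, 9, 1), {"name": "B. Example", "health_note": "recent"}),
    }
    return store


if __name__ == "__main__":
    today = date(2025, 10, 23)
    store = build_sample_store()
    print(store.read("alice", "R1", ["name", "fingerprint_ref"], today))
    print("grants needing review:", store.stale_grants(today))
    print("purged:", store.purge_expired_fields(today))
    print("audit entries:", len(store.audit_log))
```

Running the module as a script walks through one permitted read, the grant review (which flags the user whose access has gone 175 days without review), and a purge that strips the expired health and vehicle fields from the older record while leaving the fingerprint reference, which is still inside its assumed retention window.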

The revelations come amid growing pressure on public sector organisations to strengthen cybersecurity and data governance, particularly as they manage increasing volumes of personal and biometric information.
